Abstract. In designing a stream cipher, Cellular Automata (CA), in particular 
nonlinear CA, play an important role. Wolfram identified Rule 30 as a powerful 
nonlinear function for cryptographic applications. However, Meier and Staffelbach 
mounted an attack (MS attack) on Rule 30 CA. Some of the CA-based stream 
ciphers have been shown to be resistant against popular known attacks, but none of these 
ciphers considers the MS attack as a security threat. This paper analyzes maximum 
period nonlinear hybrid CA (M-NHCA) with nonlinearity injection into single and 
multiple inject point(s) and shows that the M-NHCA with multiple inject points 
is secure against the MS attack. We present a design construction of a stream cipher 
employing both a maximum period linear hybrid CA (M-LHCA) and an M-NHCA 
in conjunction with a rotational symmetric bent function. The proposed cipher has 
also been analyzed with respect to known popular attacks, in particular the fault attack, 
against which most of the eStream candidates like Grain-128 are vulnerable. The use 
of CA gives the additional benefit of a scalable architecture. The cipher is hardware 
efficient, which is evident from the FPGA implementation. 

Keywords: Stream cipher • Cryptanalysis • Cryptographic attacks • Cellular Automata • FPGA implementation 


1 Introduction 

A stream cipher is a symmetric key cipher where plaintext digits are combined with a 
pseudorandom keystream. In a stream cipher, each plaintext digit is encrypted one at a 
time with the corresponding digit of the keystream, to produce a digit of the ciphertext. 
Stream ciphers have gained popularity in recent years in resource constrained environments. 
The eSTREAM project, started in 2004, introduced a number of stream ciphers for hardware 
and software efficient environments. The winners of the eSTREAM portfolio ciphers are 7 
candidates, 4 in software category and 3 in hardware category. A number of cryptanalyses 
of these ciphers have been studied by the research community. Side Channel Attack (SCA) on stream 
ciphers is one class of analysis of the strength of the ciphers, which includes power analysis, 
fault analysis and timing analysis. Fault attacks constitute one of the most interesting 
Side Channel Attacks. Most of the ciphers in the eStream portfolio are susceptible to fault 
attacks [HS04], [BMS12], [HR08]. To overcome these problems, Cellular Automata (CA) 
were proposed as one possible candidate to prevent attacks [KR11b]. 

CA are a very powerful computational model. The self-evolving nature of CA has 
numerous applications including the generation of good pseudorandom sequences. Its high 
diffusion property makes CA a very attractive candidate for crypto-primitives. Rule 30 CA 
has long been considered a good pseudo-random generator and studied for cryptography 
[Wol85], [Wol86]. It passed various statistical tests for pseudo-randomness with good 
results, until Meier and Staffelbach proposed an attack, called MS Attack [MS91]. In 
the literature, NOCAS [KR11b], CASca [GR15], CASTREAM [DR14], CAR30 [DR13] are 
all Grain-like ciphers where the LFSR is replaced by a Linear CA and the NFSR is replaced by a 
nonlinear CA. In all these CA based ciphers and in Grain-128 [HJMM06], a feedback path 
is incorporated from the linear block to the nonlinear block, and faults introduced in the linear 
block (LFSR in case of Grain-128) propagate to the nonlinear block (NFSR in case of 
Grain-128); hence, it is a weakness of all these works with respect to the fault attack. 
Moreover, these works did not consider the MS attack though it is a real threat against a 
CA based cipher. 

In this work, we study nonlinear rules of M-NHCA and show that M-NHCA with 
nonlinear function injections into multiple inject points provide a maximum length cycle 
as well as better cryptographic primitives and they are also secure against MS attack. 
We propose a design of a stream cipher using an M-NHCA and an M-LHCA. In the 
proposed cipher, there is no need of any feedback path from the linear block to the nonlinear 
block, because it uses both maximum period nonlinear and linear CA, and a rotational 
symmetric bent function which mixes the contents of the linear and nonlinear 
CA. Hence, this cipher overcomes the weakness of fault propagation as mentioned earlier. 
The design of the cipher prevents known popular attacks. The security of the proposed 
cipher is analyzed in the light of related attacks. The main contribution of this work can 
be summarized as follows: 

• To design an attack resistant stream cipher using cellular automata 

• Introducing multiple nonlinearity injection points to the maximum period nonlinear 
hybrid CA (M-NHCA) to increase nonlinearity, and establishing a proof of maximum 
periodicity of the M-NHCA 

• Security analysis of the M-NHCA against MS attack 

• Detailed security analysis of the proposed stream cipher with a special emphasis on 
fault attacks 

• Hardware implementation of the cipher on FPGA platform 

The rest of this paper is organized as follows. The design architecture and working principle 
of the proposed cipher are shown in Section 2. Section 3 describes the design rationale 
of each component of the cipher. The detailed security analysis is furnished in Section 4. 
The robustness of the cipher against the existing cryptanalysis techniques with a special 
focus on MS attack is also studied in detail in this section. The hardware implementation 
results on Xilinx Spartan 3 XC3S200-4FT256 FPGA platform are depicted in Section 5. 
Finally, the paper is concluded in Section 6. 

2 Design Architecture 

A new stream cipher using maximum period linear and nonlinear CA has been briefly 
introduced in [MGR17]. In this work, we present the details of the security analysis and 
show how CA can be used as a better crypto-primitive in designing an attack resistant 
stream cipher. The cipher is also shown to be hardware efficient when implemented on 
FPGA. The cipher consists of three building blocks, a Linear Hybrid Cellular Automata 
(LHCA), a Nonlinear Hybrid Cellular Automata (NHCA) and a final combiner function 
$h(\cdot)$. The overview of the design can be found in Fig. 1. In the following subsections, 
the workings of all the building blocks are illustrated in detail along with a discussion 
about the scalable architecture of the design. Finally, we describe how the cipher must be 
initialized with the key and the initialization vector (IV). 

Figure 1: Overview of the design of the cipher 



Figure 2: M-LHCA with rule vector [1, 1, 0, 0, 1] 


2.1 Linear Block 


This block uses a 128-bit maximum period LHCA (M-LHCA) $\mathcal{L}$ denoted by $\{s_0, s_1, \ldots, s_{127}\}$, 
where $s_i$ denotes the state of the $i$th cell of $\mathcal{L}$. A primary knowledge of cellular automata 
is required for the remainder of the paper. So before delving into further details, we start 
by briefly discussing some basic notions of CA. 

A cellular automaton is a linear finite state machine that consists of an array of n cells 
represented by $\{s_0, s_1, \ldots, s_{n-1}\}$, each cell capable of storing a single bit. If the state of a 
cell at a given instant is dependent upon the neighboring cells including itself, then it is 
called a 3-neighborhood CA. However, out of all possible Boolean functions, called rules, 
only two are of prime interest, i.e. Rules 90 and 150 (ascertained from the decimal value 
of their position in the truth table). The state transition function of the $i$th cell can be 
expressed as: 

$$f_i = s_{i-1} \oplus d_i \cdot s_i \oplus s_{i+1}, \qquad d_i = \begin{cases} 0, & \text{if } s_i \text{ follows Rule 90} \\ 1, & \text{if } s_i \text{ follows Rule 150.} \end{cases}$$

Thus, an LHCA can be completely specified by a combination of Rules 90 and 150, denoted 
as an n-tuple $[d_0, d_1, \ldots, d_{n-1}]$. For example, a 5-cell M-LHCA with rule vector [1, 1, 0, 0, 1] 
is shown in Fig. 2. Further details of CA can be found in [CRNC97]. 

The M-LHCA $\mathcal{L}$ used in the design is selected in a way to ensure maximum periodicity. 
This is accomplished by exploiting an important result [CRNC97], where a one-to-one 
correspondence between a maximum period LHCA and a primitive polynomial was proved. 
Also, in another pioneering work [CM96] on CA, an algorithm for synthesizing an LHCA 
from a given irreducible polynomial was presented by Cattell and Muzio. As primitive 
polynomials are also irreducible in nature, this effectively reduces the problem of finding a 
maximum length LHCA to that of selecting a readily available primitive polynomial. In 
our work, the characteristic polynomial of $\mathcal{L}$, denoted by $f(x)$, is a primitive polynomial 
defined as: 

$$f(x) = x^{128} + x^{29} + x^{27} + x^{2} + 1$$

The rule value of the M-LHCA C synthesized from f(x), a primitive polynomial of degree 
128, is given as 0a;48882FRZ?67031A7A7A79C'0A6i?DF41112. For the sake of simplicity, 
the rule value of the CA is given in hexadecimal notation i.e. a CA rule value 0xA5 denotes 
the rule vector [1, 0,1,0,0,1,0,1]. In the following subsection, the nonlinear component is 
discussed in detail. 

2.2 Nonlinear Block 

This block uses a 128-bit maximum period Nonlinear Hybrid Cellular Automata (M-NHCA) 
$\mathcal{N}$ represented by $\{b_0, b_1, \ldots, b_{127}\}$, which is synthesized from a 128-bit maximum 
period Linear Hybrid Cellular Automata (M-LHCA). A synthesis algorithm is explained 
in [GSSR14], which produces a synthesized M-NHCA from an M-LHCA with nonlinearity 
injection at a single injection point. In this work, we remove the restriction of single 
injection point, and introduce multiple injection points to increase nonlinearity of the 
synthesized M-NHCA. A preliminary concept of injecting nonlinearity at multiple points 
is briefly introduced in [MC18]. In this work, we explore this method along with the 
analytical behavior of the CA with multiple nonlinearity injection points. The following 
section presents the synthesis of the NHCA with an example in detail. 

2.2.1 M-NHCA with Nonlinearity Injection into Multiple Inject Points 

The following algorithm is an NHCA Synthesize Algorithm for nonlinearity injection with 
multiple inject positions. 


Algorithm 1 NHCA Synthesize Algorithm with Multiple Inject Points 

Input: An n-bit maximum period linear hybrid CA with ruleset $F_L$. A set of m positions 
$\{i_1, i_2, \ldots, i_m\}$ to inject nonlinear functions, where $1 < i_1 < i_2 < \cdots < i_m < n-2$ and 
$|j - k| \ge 4$ for $j, k \in \{i_1, i_2, \ldots, i_m\}$; the set $S$ of cells of the LHCA 

Output: A maximum period NHCA ruleset $F_N$ 

1. $F_N \leftarrow F_L$ 
2. Let $F_N = \{f_{n-1}, \ldots, f_0\}$    ▷ Cell update functions 
3. For all $j \in \{i_1, i_2, \ldots, i_m\}$ 
4.     $X \subset S : \forall x \in X, x \notin N(j)$    ▷ Select a subset from $S$; $N(j)$ denotes the neighbor set of the $j$th cell, i.e., the cells in positions $j-1$, $j$, $j+1$ 
5.     $P \leftarrow f_N(X)$    ▷ $f_N$ is a nonlinear function 
6.     $f_j \leftarrow f_j \oplus P$    ▷ Inject $P$ into the $j$th cell 
7.     (shifting operation on $f_{j-1}$, $f_j$, $f_{j+1}$)    ▷ Apply shifting operation from the $(j-1)$th to the $(j+1)$th cells 
8.     $f_j \leftarrow f_j \oplus P$    ▷ Inject updated $P$ into the $j$th cell 
9. End For 
Return $F_N$ 


Let an n-bit M-NHCA be synthesized from an n-bit M-LHCA of the rule vector 
$[d_0, d_1, \ldots, d_{n-1}]$, and with nonlinearity injections into m inject points denoted 
by $i_1, i_2, \ldots, i_m$, where 

$$d_i = \begin{cases} 0, & \text{if the } i\text{th cell follows Rule 90} \\ 1, & \text{if the } i\text{th cell follows Rule 150.} \end{cases}$$

Let the synthesized M-NHCA be represented by $\{b_0, b_1, \ldots, b_{n-1}\}$, where $b_i$ denotes the 
state of the $i$th cell of the M-NHCA, and let the m cells for the m inject points be denoted 
by $b_{i_1}, b_{i_2}, \ldots, b_{i_m}$, where $1 < i_1 < i_2 < \cdots < i_m < n-2$ and $|k - l| \ge 4$ for 
$k, l \in \{i_1, i_2, \ldots, i_m\}$. 

By the synthesis algorithm, we consider that a nonlinear function $f_N(X)$ is injected 
into the $j$th cell (Algo 1, step 6), where $X = \{b_{j-2}, b_{j+2}\}$ (Algo 1, step 4) and 
$f_N(X) = (b_{j-2} \cdot b_{j+2})$ (Algo 1, step 5). Therefore, the state transition function of the $j$th cell is updated 
as 

$$f_j = b_{j-1} \oplus d_j \cdot b_j \oplus b_{j+1} \oplus f_N(b_{j-2}, b_{j+2})$$

By the shifting operation (Algo 1, step 7), the state transition functions of the $(j-1)$th, $j$th and 
$(j+1)$th cells are updated as 

$$f_{j-1} = b_{j-2} \oplus d_{j-1} \cdot b_{j-1} \oplus b_j \oplus f_N(b_{j-2}, b_{j+2})$$
$$f_j = b_{j-1} \oplus d_j \cdot b_j \oplus b_{j+1} \oplus f_N(b_{j-2}, b_{j+2}) \oplus (d_j + 1) \cdot f_N(b_{j-2}, b_{j+2})$$
$$f_{j+1} = b_j \oplus d_{j+1} \cdot b_{j+1} \oplus b_{j+2} \oplus f_N(b_{j-2}, b_{j+2})$$

Finally, the state transition function of the $j$th cell is updated (Algo 1, step 8) as 

$$f_j = b_{j-1} \oplus d_j \cdot b_j \oplus b_{j+1} \oplus d_j \cdot f_N(b_{j-2}, b_{j+2}) \oplus f_N(f_{j-2}, f_{j+2})$$

where $f_N(f_{j-2}, f_{j+2}) = (f_{j-2} \cdot f_{j+2})$ is the updated function-value of the injected nonlinear 
function. Here, $f_{j-2}$ and $f_{j+2}$ denote the updated values of the $(j-2)$th and $(j+2)$th cells 
respectively (Algo 1, step 1), that is, 

$$f_{j-2} = b_{j-3} \oplus d_{j-2} \cdot b_{j-2} \oplus b_{j-1}$$
$$f_{j+2} = b_{j+1} \oplus d_{j+2} \cdot b_{j+2} \oplus b_{j+3}$$

After synthesis (Algo 1, step 9), the update functions (nonlinear) of the $(j-1)$th, $j$th and 
$(j+1)$th cells of the synthesized M-NHCA are as follows: 

$$f_{j-1} = b_{j-2} \oplus d_{j-1} \cdot b_{j-1} \oplus b_j \oplus f_N(b_{j-2}, b_{j+2})$$
$$f_j = b_{j-1} \oplus d_j \cdot b_j \oplus b_{j+1} \oplus d_j \cdot f_N(b_{j-2}, b_{j+2}) \oplus f_N(f_{j-2}, f_{j+2})$$
$$f_{j+1} = b_j \oplus d_{j+1} \cdot b_{j+1} \oplus b_{j+2} \oplus f_N(b_{j-2}, b_{j+2})$$

for all $j \in \{i_1, i_2, \ldots, i_m\}$. The update functions (linear) of all other cells of the synthesized 
M-NHCA are those of the underlying M-LHCA (Algo 1, step 1). 

For multiple injection points, we consider the following criteria: 

1. Nonlinear functions can be injected in cell position $i$, $2 \le i \le n-3$, such that the 
injected nonlinear function $f_N(b_{i-2}, b_{i+2}) = (b_{i-2} \cdot b_{i+2})$ can be formed properly. 

2. To retain the maximum length cycle, there must be at least three cells in between 
any two inject positions; that is, if $j$ and $k$ are two inject positions then there must 
be $|j - k| \ge 4$; otherwise, the neighboring cells in between two inject positions will 
be affected simultaneously by both injections. 

Algorithm 1 to synthesize an M-NHCA is explained with the following example which 
clearly illustrates how an M-NHCA can be synthesized by injecting nonlinear functions 
into two selected positions of an M-LHCA. 

Example 1. Let us consider a 9-bit M-LHCA $\mathcal{L}$ denoted by $\{b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7, b_8\}$, 
depicted in Fig. 3, with rule vector [0, 1, 0, 0, 1, 1, 1, 0, 0]. The state transition functions 
of the M-LHCA are as follows: 

$$f_0 = b_1 \qquad f_3 = b_2 \oplus b_4 \qquad f_6 = b_5 \oplus b_6 \oplus b_7$$
$$f_1 = b_0 \oplus b_1 \oplus b_2 \qquad f_4 = b_3 \oplus b_4 \oplus b_5 \qquad f_7 = b_6 \oplus b_8$$
$$f_2 = b_1 \oplus b_3 \qquad f_5 = b_4 \oplus b_5 \oplus b_6 \qquad f_8 = b_7$$

Figure 3: Nonlinear function injection at two cell positions of an M-LHCA $\mathcal{L}$ 


where $b_i$ is the current state and $f_i$ is the next state of the $i$th cell of $\mathcal{L}$. Let the 
nonlinear function $f_N(b_0, b_4) = (b_0 \cdot b_4)$ be injected at position 2, and the nonlinear 
function $f_N(b_4, b_8) = (b_4 \cdot b_8)$ be injected at position 6 (Algorithm 1, step 6). By Algorithm 
1, the state transition functions of the synthesized M-NHCA $\mathcal{N}$ are as follows: 

$$f_0 = b_1$$
$$f_1 = b_0 \oplus b_1 \oplus b_2 \oplus (b_0 \cdot b_4)$$
$$f_2 = b_1 \oplus b_3 \oplus (b_1 \cdot (b_3 \oplus b_4 \oplus b_5))$$
$$f_3 = b_2 \oplus b_4 \oplus (b_0 \cdot b_4)$$
$$f_4 = b_3 \oplus b_4 \oplus b_5$$
$$f_5 = b_4 \oplus b_5 \oplus b_6 \oplus (b_4 \cdot b_8)$$
$$f_6 = b_5 \oplus b_6 \oplus b_7 \oplus (b_4 \cdot b_8) \oplus ((b_3 \oplus b_4 \oplus b_5) \cdot b_7)$$
$$f_7 = b_6 \oplus b_8 \oplus (b_4 \cdot b_8)$$
$$f_8 = b_7$$


The following theorems show that nonlinear function injections into single/multiple 
inject position(s) of an M-LHCA generate a maximum period NHCA (M-NHCA). 

Theorem 1. Nonlinear function injection into a single inject position of a 3-neighborhood, 
90/150 maximum period linear hybrid cellular automata (M-LHCA) generates a maximum 
period nonlinear hybrid cellular automata (M-NHCA). 

Proof. Let $\mathcal{L}$ be an n-cell 3-neighborhood null boundary maximum period LHCA denoted 
by $\{x_0, x_1, \ldots, x_{n-1}\}$ with rule vector $[d_0, d_1, \ldots, d_{n-1}]$, where $d_j = 0$ (Rule 90) / 1 (Rule 
150), $0 \le j \le n-1$, and the state transition function of the $j$th cell for all $j$, $0 \le j \le n-1$, is 
defined as: 

$$f_j = x_{j-1} \oplus d_j \cdot x_j \oplus x_{j+1}$$

According to Algorithm 1, if a nonlinear function injection is made into the $i$th cell 
of the underlying LHCA $\mathcal{L}$, $1 < i < n-2$, with a nonlinear function 

$$f_N(x_{i-2}, x_{i+2}) = (x_{i-2} \cdot x_{i+2})$$

then finally, all cells of the synthesized NHCA except the neighboring cells of $i$ follow the 90/150 
rule vector of the underlying LHCA (Algo. 1, step 1), and the updated state transition functions 
(nonlinear) of the $(i-1)$th, $i$th and $(i+1)$th cells of the synthesized NHCA are as follows (Algo. 1, 
step 9): 

$$f_{i-1} = x_{i-2} \oplus d_{i-1} \cdot x_{i-1} \oplus x_i \oplus f_N(x_{i-2}, x_{i+2})$$
$$f_i = x_{i-1} \oplus d_i \cdot x_i \oplus x_{i+1} \oplus d_i \cdot f_N(x_{i-2}, x_{i+2}) \oplus f_N(f_{i-2}, f_{i+2})$$
$$f_{i+1} = x_i \oplus d_{i+1} \cdot x_{i+1} \oplus x_{i+2} \oplus f_N(x_{i-2}, x_{i+2})$$

Figure 4: Effect of nonlinear function injection by shifting operation (legend: LHCA state transition; NHCA state transition; $a, b, x, y, z, p, q, r, d_j \in \{0, 1\}$) 

Figure 5: Effect of nonlinear function injection by synthesis (legend: NHCA state transition by shifting operation; NHCA state transition by synthesis; $a, b, x, y, z, p, q, r, d_j \in \{0, 1\}$) 


Let $Q$ be a state in the maximum length cycle of the underlying LHCA and $Q_{next}$ be the 
next state of $Q$. In the state $Q$ (ref. Fig. 4), let the bit values of the bit vector positions 
$(i-2, i-1, i, i+1, i+2)$ be denoted by $(1, p, q, r, 1)$, where $p, q, r \in \{0, 1\}$. After the shifting 
operation, the non-zero value of the injected nonlinear function (i.e. $f_N(1, 1) = 1$) changes 
the truth values of $(x, y, z)$ in the bit vector positions $(i-1, i, i+1)$ of the state $Q_{next}$. 
Therefore, it reaches a state $R_{next}$ in the maximum length cycle of the underlying LHCA. 
The previous state of $R_{next}$, denoted by $R$, surely contains the same bit values as 
the state $Q$ except for the content of the $i$th cell. The contents of the $i$th cell of $Q$ and 
$R$ are complements of each other. At the end of the shifting operation, the non-zero value of the 
injected nonlinear function changes the next states of $Q$ and $R$ and hence, the next states 
$Q_{next}$ and $R_{next}$ are interchanged. That means the function $f_N(1, 1)$ for the pair $(Q, R)$ 
changes their next states to $(R_{next}, Q_{next})$. Therefore, the maximum length cycle of the 
underlying LHCA splits up into two cycles (ref. Fig. 4), where $Q$ lies in one cycle and $R$ 
lies in another cycle. Hence, the shifting operation splits up the maximum length cycle of the 
underlying LHCA into a number of cycles covering all nonzero states (i.e. $2^n - 1$ 
states), and every nonzero state lies in one of these cycles. 

Let $Q_{prev}$ and $R_{prev}$ be the previous states of $Q$ and $R$, respectively, in the state 
transition graph after shifting operations (Fig. 5); that means the pair $(Q, R)$ is a 
reachable pair from $(Q_{prev}, R_{prev})$. The contents of the $i$th cell of $Q$ and $R$ are complements of 
each other, and the contents of the $(i-2)$th and $(i+2)$th cells of $Q$ and $R$ are 1's. By 
synthesis (Algo. 1, step 8), the nonlinear function $f_N(f_{i-2}, f_{i+2}) = f_N(1, 1)$ injected on 
the $i$th cell of the states $Q$ and $R$ evaluates to 1, and therefore the previous states of $Q$ and $R$ 
(i.e. $Q_{prev}$, $R_{prev}$) are interchanged, and hence the two cycles are joined (Fig. 5). 

Every $(Q, R)$-like pair interchanges its next states by shifting operations (Algo. 
1, step 7), and interchanges its previous states in the state transition graph by synthesis 
(Algo. 1, step 8). Therefore, at the end of synthesis all cycles are joined into one cycle of 
all nonzero states (i.e. $2^n - 1$ states), which is a maximum length cycle. □ 

Theorem 2. Nonlinear function injection into multiple inject positions of a 3-neighborhood 
90/150 maximum period linear hybrid cellular automata (M-LHCA) generates a maximum 
period nonlinear hybrid cellular automata (M-NHCA). 

Proof. We prove the theorem by mathematical induction. Let $\mathcal{L}$ be an n-cell 3-neighborhood 
null boundary maximum length (i.e. $2^n - 1$) cycle LHCA denoted by $\{x_0, x_1, \ldots, x_{n-1}\}$ 
with rule vector $[d_0, d_1, \ldots, d_{n-1}]$, where $d_j = 0$ (Rule 90) / 1 (Rule 150), $0 \le j \le n-1$, 
and the state transition function of the $j$th cell is defined as: 

$$f_j = x_{j-1} \oplus d_j \cdot x_j \oplus x_{j+1}$$

Let nonlinear functions be injected into m cells $x_{i_1}, x_{i_2}, \ldots, x_{i_m}$ of the underlying 
LHCA $\mathcal{L}$ such that $1 < i_1 < i_2 < \cdots < i_m < n-2$ and $|j - k| \ge 4$ for $j, k \in \{i_1, i_2, \ldots, i_m\}$. 

Basis step: After the 1st injection into cell $x_{i_1}$, the synthesized NHCA produces a maximum 
length cycle $C_1$ by Theorem 1. In cycle $C_1$, the cells of positions $i_1 - 1$ to $i_1 + 1$ are 
updated by 90/150 rules (i.e. linear updation by Algo 1, step 1) as well as by the nonlinear 
function (i.e. nonlinear updation by Algo 1, steps 6, 7, 8), but the cells of positions $i_2 - 2$ 
to $i_2 + 2$ are only updated by 90/150 rules (Algo 1, step 1) of the underlying LHCA, and in $C_1$ 
the 1st injection on cell $x_{i_1}$ does not affect (i.e. nonlinear updation) the cells of positions 
$i_2 - 2$ to $i_2 + 2$ because $|i_1 - i_2| \ge 4$. Therefore, after nonlinear function injection into 
$x_{i_2}$, the generated cycle $C_2$ is also a maximum length cycle by Theorem 1. 

Inductive hypothesis: Suppose the synthesized NHCA produces a maximum length 
cycle $C_k$ after nonlinear function injections into k cells $x_{i_1}, x_{i_2}, \ldots, x_{i_k}$, where 
$k < m$. 

Inductive step: In cycle $C_k$, all injections into $x_{i_1}, x_{i_2}, \ldots, x_{i_k}$ do not affect (i.e. 
nonlinear updation) the cells of positions $i_{k+1} - 2$ to $i_{k+1} + 2$. $C_k$ is a maximum length 
cycle by the induction hypothesis. Nonlinear function injection into cell $x_{i_{k+1}}$ produces a 
cycle $C_{k+1}$ which is also a maximum length cycle by Theorem 1. Therefore, 
nonlinear function injection into m cells of the underlying LHCA produces a synthesized 
NHCA with a maximum length cycle. □ 

2.2.2 Nonlinearity with Iterations. 

Nonlinearity is a cryptographic property of a Boolean function. The minimum of the 
Hamming distances between a Boolean function and all affine functions involving its input 
variables is known as the nonlinearity of the function [CS09], [MVV97]. 

The nonlinearity of an M-NHCA increases more with iterations when nonlinear functions are injected 
at multiple inject points than at a single inject point. Details of computing the nonlinearity of some 
synthesized M-NHCA with single and multiple inject point(s) are presented in Table 1. 
The underlying M-LHCA is synthesized [CM96] from a primitive polynomial represented 
as a listing of non-zero coefficients. For example, the set (9, 4, 0) in the 1st column of 
Table 1 represents the polynomial $x^9 + x^4 + 1$ (primitive) for a 9-bit M-LHCA denoted 
by $(b_0, \ldots, b_8)$. The set $(i, j, k)$ in the 2nd column represents that the nonlinear function is 
injected in the $i$th, $j$th and $k$th cell positions simultaneously. Table 1 clearly illustrates that 
the nonlinearity of an M-NHCA increases more with multiple inject points than with a single inject 
point. 


Table 1: Nonlinearity of different M-NHCA with iterations 


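| M-LHCA polynomial (primitive) | Nty inject position(s) | CA cell for Nty | Nty with iterations: 1 | 2 | 3 | 4 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|---|---|
| 9, 4, 0 | 2 | $b_2$ | 4 | 16 | 64 | 128 | 128 | 128 | 128 |
| | 2, 6 | $b_2$ | 4 | 32 | 128 | 192 | 192 | 128 | 192 |
| 10, 3, 0 | 3 | $b_3$ | 48 | 8 | 64 | 128 | 128 | 256 | 256 |
| | 3, 7 | $b_3$ | 48 | 16 | 64 | 192 | 256 | 256 | 384 |
| 11, 9, 8, 3, 0 | 3 | $b_3$ | 48 | 32 | 32 | 256 | 512 | 64 | 256 |
| | 3, 7 | $b_3$ | 48 | 64 | 32 | 256 | 768 | 64 | 256 |
| 12, 7, 4, 3, 0 | 3 | $b_3$ | 48 | 64 | 64 | 32 | 32 | 512 | 512 |
| | 3, 8 | $b_3$ | 48 | 64 | 128 | 32 | 48 | 768 | 768 |
| 14, 12, 11, 1, 0 | 5 | $b_5$ | 48 | 32 | 512 | 512 | 1024 | 1024 | 1024 |
| | 5, 9 | $b_5$ | 48 | 64 | 1024 | 512 | 1024 | 1024 | 2048 |
| 16, 5, 3, 2, 0 | 5 | | 48 | 32 | 512 | 512 | 512 | 1024 | 1024 |
| | 5, 9 | | 48 | 64 | 1024 | 512 | 1024 | 1024 | 1024 |
| 32, 28, 27, 1, 0 | 11 | $b_{11}$ | 16 | 64 | 512 | 2048 | 2048 | 3072 | 3072 |
| | 7, 11, 15, 19 | $b_{11}$ | 16 | 256 | 2048 | 3072 | 4096 | 4096 | 4096 |
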

Nty = Nonlinearity 
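
The following Python code is an added example, not code from the paper: it implements the update functions that Algorithm 1 yields, checks the maximum-period claim of Theorems 1 and 2 on the 9-cell CA of Example 1, and recomputes the nonlinearity of cell $b_2$ over iterations as in Table 1. It assumes null boundary cells and that Table 1 measures nonlinearity over the variables the cell actually depends on (under that reading the first two iterations give 4, 16 for inject point 2 and 4, 32 for inject points 2, 6); all function and constant names are hypothetical.

```python
def lhca_step(state, rules):
    """One step of a null-boundary 90/150 LHCA: f_i = s[i-1] ^ d_i*s[i] ^ s[i+1]."""
    n = len(state)
    return [(state[i - 1] if i > 0 else 0)
            ^ (rules[i] & state[i])
            ^ (state[i + 1] if i < n - 1 else 0)
            for i in range(n)]


def check_inject_points(n, points):
    """Enforce the two criteria for inject points: 2 <= j <= n-3, spacing >= 4."""
    pts = sorted(points)
    if any(not 2 <= j <= n - 3 for j in pts):
        raise ValueError("inject point outside 2..n-3")
    if any(b - a < 4 for a, b in zip(pts, pts[1:])):
        raise ValueError("inject points fewer than 4 cells apart")
    return pts


def nhca_step(state, rules, points):
    """One step of the NHCA obtained by injecting f_N(a, b) = a*b at each point."""
    lin = lhca_step(state, rules)            # linear updates f_i of the LHCA
    nxt = list(lin)
    for j in check_inject_points(len(state), points):
        p = state[j - 2] & state[j + 2]      # f_N(b_{j-2}, b_{j+2})
        p_upd = lin[j - 2] & lin[j + 2]      # f_N(f_{j-2}, f_{j+2})
        nxt[j - 1] ^= p
        nxt[j] ^= (rules[j] & p) ^ p_upd     # d_j*f_N(b_{j-2}, b_{j+2}) ^ f_N(f_{j-2}, f_{j+2})
        nxt[j + 1] ^= p
    return nxt


def cycle_length(step, seed):
    """Steps until the seed state recurs; None if it does not within 2^n steps."""
    seed = list(seed)
    state = step(seed)
    for count in range(1, (1 << len(seed)) + 1):
        if state == seed:
            return count
        state = step(state)
    return None


def nonlinearity(truth_table, n):
    """Distance to the nearest affine function, over the effective variables only."""
    w = [1 - 2 * bit for bit in truth_table]          # (-1)^f
    h = 1
    while h < len(w):                                 # fast Walsh-Hadamard transform
        for i in range(0, len(w), 2 * h):
            for k in range(i, i + h):
                w[k], w[k + h] = w[k] + w[k + h], w[k] - w[k + h]
        h *= 2
    nl_full = (len(w) - max(abs(v) for v in w)) // 2  # over all n variables
    # Assumption: variables the function never depends on are not counted.
    # Each such fictitious variable doubles nl_full, so halve once per variable.
    fictitious = sum(
        all(truth_table[x] == truth_table[x ^ (1 << i)]
            for x in range(len(truth_table)))
        for i in range(n))
    return nl_full >> fictitious


def nonlinearity_by_iteration(rules, points, cell, iterations):
    """Nonlinearity of one cell as a function of the initial state, per iteration."""
    n = len(rules)
    states = [[(x >> i) & 1 for i in range(n)] for x in range(1 << n)]
    result = []
    for _ in range(iterations):
        states = [nhca_step(s, rules, points) for s in states]
        result.append(nonlinearity([s[cell] for s in states], n))
    return result


# Example 1: rule vector of the 9-cell M-LHCA; the seed is a constructed
# non-zero start state.
EX1_RULES = [0, 1, 0, 0, 1, 1, 1, 0, 0]
EX1_SEED = [1, 0, 0, 0, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    for pts in ([], [2], [2, 6]):
        period = cycle_length(lambda s: nhca_step(s, EX1_RULES, pts), EX1_SEED)
        print(pts, period, nonlinearity_by_iteration(EX1_RULES, pts, 2, 4))
```

The period check works for any rule vector and inject set small enough to enumerate; for the 128-cell CA of the cipher the cycle cannot be walked, which is why the paper relies on the proofs instead.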


In the proposed cipher, the nonlinear block is designed with a synthesized M-NHCA $\mathcal{N}$. 
For synthesis, any 128-bit M-LHCA with 90/150 rule vectors can be taken as the underlying 
M-LHCA. In our design, the M-NHCA $\mathcal{N}$ is synthesized from the same M-LHCA (as 
described in Section 2.1) with multiple injection points. The set of injection points, denoted 
as $X$, is as follows: 

$$X = \{13, 17, 29, 33, 44, 48, 64, 68, 77, 81, 93, 97, 109, 113\}.$$

Finally, the next subsection describes the details of the combiner function. 

2.3 Combiner Function h(-) 

The function $h(\cdot)$ can be expressed as a combination of two parts, a linear function $h_l(\cdot)$ 
and a bent function $h_{bent}(\cdot)$, as follows: 

$$h(\cdot) = h_{bent}(\cdot) \oplus h_l(\cdot)$$

Before stating the specification of $h(\cdot)$ used in the proposed cipher, we furnish some basic 
concepts of a rotational symmetric Boolean function [CS09]. 

Let $\{x_0, x_1, \ldots, x_{n-1}\}$ be the set of input bits to a Boolean function $f(\cdot)$. For $0 \le j \le n-1$, 
we define the rotational shifting operation as: 

$$\rho^j(x_i) = x_{(i+j) \bmod n}$$

This definition can be extended for a Boolean function $f_s(\cdot)$ as follows: 

$$\rho^j(f_s(x_0, \ldots, x_{n-1})) = f_s(\rho^j(x_0), \ldots, \rho^j(x_{n-1}))$$

A rotational symmetric function is defined as the summation of all the rotationally 
permuted terms of a base element which is called the short ANF. The following equation 
shows the expression of a rotational symmetric function: 

$$f(x_0, x_1, \ldots, x_{n-1}) = \sum_{j=0}^{n-1} \rho^j(f_s(x_0, x_1, \ldots, x_{n-1}))$$

where $f_s(\cdot)$ is the short ANF of $f(\cdot)$. For example, the function $f(x_0, x_1, x_2) = x_0 x_1 \oplus 
x_1 x_2 \oplus x_2 x_0$ can be denoted as 

$$f(x_0, x_1, x_2) = \sum_{j=0}^{2} \rho^j(f_s(x_0, x_1, x_2))$$

where $f_s(x_0, x_1, x_2) = x_0 x_1$. 

As mentioned earlier, the function $h_{bent}(\cdot)$ in the cipher is rotational symmetric. The 
short ANF form of $h_{bent}(\cdot)$ is denoted as $h_s(\cdot)$. The specifications of $h_l(\cdot)$ and $h_{bent}(\cdot)$ are 
shown in the following equations. 

$$h_s(v_0, v_1, \ldots, v_7) = v_0 v_1 \oplus v_0 v_2 \oplus v_0 v_3 \oplus v_0 v_1 v_2 \oplus v_0 v_1 v_4 \oplus v_0 v_1 v_6 \oplus v_0 v_2 v_4 \oplus v_0 v_1 v_2 v_3 \oplus v_0 v_1 v_3 v_4 \oplus v_0 v_1 v_3 v_5$$

$$h_{bent}(v_0, v_1, \ldots, v_7) = \sum_{j=0}^{7} \rho^j(h_s(v_0, v_1, \ldots, v_7))$$

$$h_l(u_0, u_1, \ldots, u_4) = \sum_{i=0}^{4}$$

The 256 memory elements in the two CA represent the state of the cipher. From this 
state, 13 variables are taken as input to the combiner function $h(\cdot)$. Six inputs are taken 
from $\mathcal{L}$ and seven inputs are taken from $\mathcal{N}$. The set of the input bits, also called tap bits, 
corresponds to the set denoted by $T$ as follows: 

$$T = \{s_{12}, s_{35}, s_{58}, s_{78}, s_{97}, s_{119}, b_{16}, b_{32}, b_{47}, b_{67}, b_{80}, b_{96}, b_{112}\}$$

Hence, the output function (i.e. the combiner function $h(\cdot)$) is defined as 

$$z = h(v_0, v_1, \ldots, v_7, u_0, u_1, \ldots, u_4) = h_{bent}(v_0, v_1, \ldots, v_7) \oplus h_l(u_0, u_1, \ldots, u_4)$$

where $v_0, v_1, v_2, v_3, v_4, v_5, v_6, v_7$ correspond to $b_{16}, s_{12}, s_{35}, s_{58}, s_{78}, s_{97}, s_{119}, b_{96}$ and $u_0, u_1, 
u_2, u_3, u_4$ correspond to $b_{32}, b_{47}, b_{67}, b_{80}, b_{112}$. 

2.4 Scalability 

The design of the cipher can be scaled to any security parameter. Each primitive of the 
cipher is scalable as follows: 

1. A primitive polynomial in GF(2) of any degree is readily available in contemporary 
literature. Thus, a maximum period sequence generator using linear cellular automata can 
easily be synthesized for a given primitive polynomial. 

2. For different security parameters, the M-NHCA can be resynthesized following the 
Algorithm 1. 

3. The final combiner function, $h(\cdot)$, should be changed for different key lengths (e.g. 
128, 192, 256). Moreover, the rotational symmetric bent function $h_{bent}(\cdot)$ should also be 
redesigned. However, this can be done for any number of input bits with very little 
computation. 

Thus, the overall design is easily scalable. The only precomputation required is for 
synthesizing an M-NHCA and finding a suitable $h_{bent}(\cdot)$ function. 

Figure 6: Initialization of the cipher 

2.5 Initialization and Key Setup 

Before generating any keystream, the cipher must be initialized with a key and an 
initialization vector (IV). Here we have used a 128-bit key $k$ and a 128-bit IV. To 
initialize the cipher, the key is loaded into $\mathcal{N}$ and the IV is loaded into $\mathcal{L}$. The M-LHCA 
used is synthesized from a primitive polynomial and it provides maximum periodicity. 
Therefore, the M-LHCA state bits never contain all 0's while running the cipher, which 
ensures resistance to the known IV attack. It overcomes the restriction of Grain of keeping 16 
LSBs to be all 1's. The diffusion rate of M-NHCA evolution is much faster than that of the 
nonlinear block of Grain-128. In 128 clock cycles, all 256 state bits (128 bits of the nonlinear 
block and 128 bits of the linear block) will be diffused in all 256 bits, which strengthens the 
security against attacks like algebraic attack and fault attack etc. Therefore, the cipher is 
clocked for 128 cycles without producing any keystream and the output of $h(\cdot)$ is fed back 
and XORed with the LSBs of both $\mathcal{L}$ and $\mathcal{N}$. Thus, the initialization phase is made two 
times faster than that of Grain-128. The initialization phase is depicted in Fig. 6. 

2.6 Cipher Design 

The architectural view of the proposed cipher is shown in Fig. 7. 

Linear block: It uses an M-LHCA $\mathcal{L}$ with CA polynomial $f(x) = x^{128} + x^{29} + x^{27} + x^{2} + 1$. 

Nonlinear block: It uses an M-NHCA $\mathcal{N}$ synthesized from $\mathcal{L}$ as described in Section 2.2. 

Linear function $h_l(\cdot)$: It uses five inputs from the M-NHCA $\mathcal{N}$. 

Nonlinear function $h_{bent}(\cdot)$: It uses two inputs from the M-NHCA $\mathcal{N}$ and six inputs 
from the M-LHCA $\mathcal{L}$ as described in Section 2.3. 

Combiner function $h(\cdot)$: It combines the two functions $h_l(\cdot)$ and $h_{bent}(\cdot)$, and finally 
produces the cipher output. 


3 Design Rationale 

This section shows how the proper choices of the design parameters provide better security 
of the cipher. 

Maximum period LHCA. In stream ciphers, linear sequence generators are added to 
the design to serve two purposes, firstly to provide balancedness and secondly to preclude 
any possibilities of power attack. Commonly this is realized using linear feedback shift 
registers (LFSR). However, in our cipher, the linear sequence generator is constructed from 
M-LHCA instead of LFSR. This design choice is attributed to the suitability of M-LHCA 
as a pseudorandom number generator (PRNG) due to its better randomness property than 
that of the LFSR [CRNC97]. 

Figure 7: Structure of the cipher 

Maximum period NHCA. In case of ciphers like Grain, the faults injected into the 
nonlinear feedback shift register (NFSR) are directly transmitted to the output, enabling 
the attacker to form low degree equations by observing the output difference [KR11a]. 
Solving the set of the equations facilitates the recovery of the internal state of the NFSR 
and subsequently the key. However, the presence of nonlinear hybrid cellular automata in 
the design of the cipher makes the formation of such equations almost infeasible. This 
claim is justified by the experimental results provided in the following section. Another 
notable difference of the M-NHCA from that of the NFSR in Grain is the absence of any 
feedback from the linear generator to the nonlinear one. This feedback is required to ensure 
large period length of the nonlinear register, and to provide mixing of the contents of linear 
and nonlinear registers. However, the M-NHCA $\mathcal{N}$ used here has maximum periodicity, 
and the bent function $h_{bent}(\cdot)$ uses six values from M-LHCA and two values from M-NHCA 
(as discussed in Section 2.3). In the design, the contents of linear and nonlinear registers 
are mixed in the initialization as well as keystream generation, therefore, such feedback is 
extraneous and subsequently discarded. 

Choice of $h_l(\cdot)$ and $h_{bent}(\cdot)$. The function $h_l(\cdot)$ increases correlation immunity and 
resiliency whereas $h_{bent}(\cdot)$ provides high nonlinearity¹ [CS09], [MVV97]. In addition, the 
function $h_{bent}(\cdot)$ is designed to be a rotational symmetric one. This ensures that the 
occurrence of a fault is equiprobable for all the nonlinear terms in the bent function $h_{bent}(\cdot)$ 
in case of a faulty output. The lack of rotational symmetry of the filter function in Grain 
has already been exploited in [BMS12] which necessitates the use of such function to 
conceal the fault positions. 

Choice of output function $h(\cdot)$. Recovery of the state bits by reverse engineering 
is prevented by the use of a combiner function. For this purpose, a Boolean function $h(\cdot)$ 
is selected as a sum of two parts, a nonlinear bent function $h_{bent}(\cdot)$ and a linear function 
$h_l(\cdot)$. The combiner function has nonlinearity 3840 and resiliency 4 that increase with 
iterations while expressed in terms of initial state bits. Because of incorporating rotational 
symmetric bent function $h_{bent}(\cdot)$, it strengthens the security of the cipher against attacks 
like algebraic attack and fault attack etc. 

¹ Bent function possesses the highest possible nonlinearity 


4 Security Analysis 

The proposed cipher aims to provide resistance against some related known attacks, in
particular the fault attack which is the most threatening in the current scenario. This
cipher is a Grain-like cipher having a nonlinear block ($\mathcal{N}$) and a linear block ($\mathcal{L}$). In the
design of the cipher, both $\mathcal{N}$ and $\mathcal{L}$ are implemented with CA. $\mathcal{L}$ is a maximum period
linear CA (M-LHCA). $\mathcal{N}$ is an M-NHCA. Wolfram proposed nonlinear CA with rule 30
as a better cryptographic primitive [Wol85], [Wol86]. However, in [MS91], Meier and
Staffelbach have mounted an attack (MS attack) against Rule 30. The following analysis
shows that the proposed cipher is secure against MS attack, and we also consider some
general attacks on stream ciphers in this section. Before presenting analysis of the proposed
cipher against MS attack, we describe the MS attack in detail in the following subsection.


4.1 Meier and Staffelbach (MS) Attack 

In [MS91], the attack is a known plaintext attack where the keys are chosen as seed of the 
cellular automaton of size n (i.e. the size of the keys is n). The problem of cryptanalysis 
consists in determining the seed (or the keys) from the produced output sequence. 

In [MS91], a general nonlinear cellular automaton denoted by $\{s_1, s_2, \cdots, s_n\}$ of width
$n = 2N + 1$ is considered. The state transition functions of all cells of the nonlinear
cellular automaton follow Rule 30. The site vector of the nonlinear CA at time step $t$ is
$(s_1^t, s_2^t, \cdots, s_{i-1}^t, s_i^t, s_{i+1}^t, \cdots, s_{2N+1}^t)$. The evolution of the $i$-th cell for $N$ cycles is denoted
by $\{s_i^t\}$, that is $(s_i^t, s_i^{t+1}, \cdots, s_i^{t+N})$. This bit-sequence is called the temporal sequence.
The site vector, which is the key of this attack, forms a triangle along with the temporal
sequence column (i.e. $\{s_i^t\}$) for $N$ cycles as shown in Fig. 8. From the knowledge of
two adjacent columns in the triangle, that is, temporal sequence column (i.e. $\{s_i^t\}$) and
right adjacent sequence column (i.e. $\{s_{i+1}^t\}$) or temporal sequence column (i.e. $\{s_i^t\}$)
and left adjacent sequence column (i.e. $\{s_{i-1}^t\}$), one can determine the seed. Moreover,
the knowledge of $(s_{i+1}^t, \cdots, s_{2N+1}^t)$ together with the temporal sequence is sufficient to
determine the triangle to the right of the temporal sequence column and the knowledge of
$(s_1^t, \cdots, s_{i-1}^t)$ together with the temporal sequence is sufficient to determine the triangle
to the left of the temporal sequence column.

Figure 8: Determination of the seed

In [MS91], the site vector, the key of this attack, of the nonlinear CA at time step $t$
is $(s_{i-N}^t, \cdots, s_{i-1}^t, s_i^t, s_{i+1}^t, \cdots, s_{i+N}^t)$. The bit-sequence of the $i$-th cell is the known output
sequence, where $i = N + 1$, that is the sequence of the middle cell, and every cell of the
null boundary nonlinear cellular automaton follows Rule 30. The state transition function
of Rule 30 is as follows:

$$s_i^{t+1} = s_{i-1}^t \oplus (s_i^t + s_{i+1}^t)$$

where $s_i^t$ is the current state and $s_i^{t+1}$ is the next state of the $i$-th cell, and $+$ denotes
logical OR. First, a random seed $(s_{i+1}^t, \cdots, s_{i+N}^t)$ is generated.

In the completion forwards process, using the random seed and the Rule 30 formula,
$s_{i+1}^{t+1}, \cdots, s_{i+N-1}^{t+1}$ can easily be computed as each is the only unknown item in the expression
of Rule 30. In this way, the random seed together with the temporal sequence column forms
the right triangle as shown in Fig. 8. The above formula can be written in another way:

$$s_{i-1}^t = s_i^{t+1} \oplus (s_i^t + s_{i+1}^t)$$

In the completion backwards process, from the knowledge of the right adjacent column (i.e.
$\{s_{i+1}^t\}$) in the right triangle and the temporal sequence column (i.e. $\{s_i^t\}$),
$s_{i-1}^{t+N-1}, \cdots, s_{i-1}^t$ can be easily computed by the above expression since each is the only unknown
item in the expression. In this way, the knowledge of the right adjacent column and the temporal
sequence column can compute the left triangle of the temporal sequence column and
eventually determine the seed $(s_{i-N}^t, \cdots, s_{i-1}^t)$ (completion backwards process [MS91]).
Otherwise, generating a random seed $(s_{i-N}^t, \cdots, s_{i-1}^t)$ together with the temporal sequence
column can form the left triangle as shown in Fig. 8 (completion forwards process [MS91]).
The knowledge of the left adjacent column (i.e. $\{s_{i-1}^t\}$) in the left triangle and the temporal
sequence column $\{s_i^t\}$ can determine the seed $(s_{i+1}^t, \cdots, s_{i+N}^t)$ (completion backwards
process [MS91]).

Eventually, the CA is loaded with the computed seed $(s_{i-N}^t, \cdots, s_{i-1}^t, s_i^t, s_{i+1}^t, \cdots, s_{i+N}^t)$
and produces the output sequence; the algorithm terminates if the produced sequence
coincides with the known output sequence, otherwise, this process repeats for another
choice of the random seed. There are $2^N$ ($\approx 2^{n/2}$) choices for the random seed, so the required
time complexity is $O(2^N)$ (i.e. $O(2^{n/2})$).
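The completion forwards and completion backwards steps described above, as an added Python example (not code from [MS91] or from this paper). It reads the $+$ in the Rule 30 formula as logical OR, indexes cells from 0, and uses a constructed 17-cell seed ($N = 8$) with 64 keystream bits, because every right-half guess reproduces the first $N + 1$ bits and only the later bits reject wrong guesses.

```python
from itertools import product

def rule30_step(state):
    """One step of a null-boundary Rule 30 CA: s_i' = s_{i-1} XOR (s_i OR s_{i+1})."""
    p = [0] + list(state) + [0]
    return [p[c - 1] ^ (p[c] | p[c + 1]) for c in range(1, len(p) - 1)]

def temporal_sequence(seed, length):
    """Bits read from the middle cell, starting with its value in the seed."""
    state, mid, out = list(seed), len(seed) // 2, []
    for _ in range(length):
        out.append(state[mid])
        state = rule30_step(state)
    return out

def complete_seed(temporal, right_guess):
    """Rebuild the full (2N+1)-cell seed implied by T[0..N] and a guessed right half."""
    N = len(right_guess)
    # Completion forwards: fill the right triangle row by row and keep the
    # column next to the temporal sequence (cell i+1 at times t .. t+N-1).
    row, right_adjacent = list(right_guess), []
    for k in range(N):
        right_adjacent.append(row[0])
        prev = [temporal[k]] + row
        row = [prev[c - 1] ^ (prev[c] | prev[c + 1]) for c in range(1, len(prev) - 1)]
    # Completion backwards: s_{i-1}^t = s_i^{t+1} XOR (s_i^t OR s_{i+1}^t).
    # Each column further left is one entry shorter; its time-t entry is a seed bit.
    col, col_right, left = list(temporal), right_adjacent, []
    for _ in range(N):
        new = [col[k + 1] ^ (col[k] | col_right[k]) for k in range(len(col) - 1)]
        left.append(new[0])
        col, col_right = new, col
    return left[::-1] + [temporal[0]] + list(right_guess)

def ms_attack(keystream, N):
    """Search the 2^N right halves; return (seed, guesses tried) or (None, 2^N)."""
    temporal = keystream[:N + 1]
    for tried, guess in enumerate(product((0, 1), repeat=N), start=1):
        seed = complete_seed(temporal, guess)
        if temporal_sequence(seed, len(keystream)) == keystream:
            return seed, tried
    return None, 2 ** N

# Constructed demo values: N = 8, so n = 2N + 1 = 17 cells; the secret seed is made up.
N = 8
SECRET = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1]
KEYSTREAM = temporal_sequence(SECRET, 64)

if __name__ == "__main__":
    seed, tried = ms_attack(KEYSTREAM, N)
    print("recovered seed:", seed)
    print("guesses tried :", tried, "of at most", 2 ** N)
    print("exhaustive search space:", 2 ** len(SECRET))
```

The search never exceeds $2^N$ guesses, which is the gap to the $2^{2N+1}$ exhaustive search that the multiple-inject-point construction of Section 4.2 is designed to close.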


4.2 Analysis against MS Attack 


This work is briefly introduced in [MC18]. Here, the detailed proof of MS attack resistance
of the synthesized M-NHCA is shown.

Let us consider a 3-neighborhood $n$-bit maximum period null-boundary LHCA denoted
by $\{x_0, x_1, \cdots, x_{n-1}\}$ with rule vector $[d_0, d_1, \cdots, d_{n-1}]$, where,

$$d_i = \begin{cases} 0, & \text{if } x_i \text{ follows Rule 90} \\ 1, & \text{if } x_i \text{ follows Rule 150.} \end{cases}$$


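Let the nonlinear functions $f_N(x_{j-2}^t, x_{j+2}^t)$ be injected at position $j$ and $f_N(x_{k-2}^t, x_{k+2}^t)$
be injected at position $k$, where

$$f_N(x_{j-2}^t, x_{j+2}^t) = (x_{j-2}^t \cdot x_{j+2}^t)$$
$$f_N(x_{k-2}^t, x_{k+2}^t) = (x_{k-2}^t \cdot x_{k+2}^t)$$

and $k - j = 4$ as per criteria of nonlinear function injection into multiple inject points for
producing M-NHCA $\mathcal{N}'$ as discussed in Section 2.2.1. The state transition functions of
five neighboring cells of $\mathcal{N}'$ around the nonlinear inject positions $j$ and $k$ respectively, are
as follows:

for $j$-th position:

$$x_{j-2}^{t+1} = x_{j-3}^t \oplus d_{j-2} \cdot x_{j-2}^t \oplus x_{j-1}^t \tag{1}$$
$$x_{j-1}^{t+1} = x_{j-2}^t \oplus d_{j-1} \cdot x_{j-1}^t \oplus x_j^t \oplus (x_{j-2}^t \cdot x_{j+2}^t) \tag{2}$$
$$x_j^{t+1} = x_{j-1}^t \oplus d_j \cdot x_j^t \oplus x_{j+1}^t \oplus d_j \cdot (x_{j-2}^t \cdot x_{j+2}^t) \oplus ((x_{j-3}^t \oplus d_{j-2} \cdot x_{j-2}^t \oplus x_{j-1}^t) \cdot (x_{j+1}^t \oplus d_{j+2} \cdot x_{j+2}^t \oplus x_{j+3}^t)) \tag{3}$$
$$x_{j+1}^{t+1} = x_j^t \oplus d_{j+1} \cdot x_{j+1}^t \oplus x_{j+2}^t \oplus (x_{j-2}^t \cdot x_{j+2}^t) \tag{4}$$
$$x_{j+2}^{t+1} = x_{j+1}^t \oplus d_{j+2} \cdot x_{j+2}^t \oplus x_{j+3}^t \tag{5}$$

for $k$-th position (in terms of $j$ with $k = j + 4$):

$$x_{j+2}^{t+1} = x_{j+1}^t \oplus d_{j+2} \cdot x_{j+2}^t \oplus x_{j+3}^t \tag{6}$$
$$x_{j+3}^{t+1} = x_{j+2}^t \oplus d_{j+3} \cdot x_{j+3}^t \oplus x_{j+4}^t \oplus (x_{j+2}^t \cdot x_{j+6}^t) \tag{7}$$
$$x_{j+4}^{t+1} = x_{j+3}^t \oplus d_{j+4} \cdot x_{j+4}^t \oplus x_{j+5}^t \oplus d_{j+4} \cdot (x_{j+2}^t \cdot x_{j+6}^t) \oplus ((x_{j+1}^t \oplus d_{j+2} \cdot x_{j+2}^t \oplus x_{j+3}^t) \cdot (x_{j+5}^t \oplus d_{j+6} \cdot x_{j+6}^t \oplus x_{j+7}^t)) \tag{8}$$
$$x_{j+5}^{t+1} = x_{j+4}^t \oplus d_{j+5} \cdot x_{j+5}^t \oplus x_{j+6}^t \oplus (x_{j+2}^t \cdot x_{j+6}^t) \tag{9}$$
$$x_{j+6}^{t+1} = x_{j+5}^t \oplus d_{j+6} \cdot x_{j+6}^t \oplus x_{j+7}^t \tag{10}$$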


where $(x_0^t, x_1^t, \cdots, x_{n-1}^t)$ is the site vector of M-NHCA $\mathcal{N}'$ at time step $t$ and
$(x_0^{t+1}, x_1^{t+1}, \cdots, x_{n-1}^{t+1})$ is the site vector at time step $t + 1$. The state transition functions for
other cells, that is $x_l^{t+1}$, $0 < l < j - 1$ and $j + 7 < l < n - 1$, can be formed by 90/150 rules. It is noted
that (5) and (6) shown above are the same equation, because right of right neighbor of $j$-th
cell and left of left neighbor of $k$-th cell denote the same cell position.

Suppose, we are given the output sequence $\{x_i^t\}$ (i.e. the temporal sequence $\{x_{j+3}^t\}$)
up to the unicity distance $N$ as shown in Table 2, where $i = j + 3$ and $i = k - 1$ since
$k - j = 4$. Now, our aim is to determine the seed $(x_0^t, x_1^t, \cdots, x_{i-1}^t, x_i^t, x_{i+1}^t, \cdots, x_{n-1}^t)$
from the knowledge of given output sequence $\{x_i^t\}$. Here, the site vector $(x_0^t, x_1^t, \cdots, x_{n-1}^t)$
forms two triangles (left and right) across the output sequence column. The right triangle
is determined in the completion forwards process and the left triangle is determined in the
completion backwards process.


Table 2: Computing seed for M-NHCA $\mathcal{N}'$

Rows: time steps $t$ to $t+N$. Columns: cells $x_0, \cdots, x_{i-6}, x_{i-5}, \cdots, x_{i-1}, x_i, x_{i+1}, \cdots, x_{n-1}$.

* represents "guess" value


We choose a random seed $(x_{i+1}^t, \cdots, x_{n-1}^t)$ out of $2^{n-(i+1)}$ possibilities. Equation (7)
can be written in another way:

$$x_{j+2}^t = x_{j+3}^{t+1} \oplus d_{j+3} \cdot x_{j+3}^t \oplus x_{j+4}^t \oplus (x_{j+2}^t \cdot x_{j+6}^t) \tag{11}$$

Now, $x_{j+2}^t$ can be determined from (11) with probability $\frac{1}{2}$. In the completion forwards
process (i.e. left to right approach), $x_{j+4}^{t+1}$, $x_{j+5}^{t+1}$ can be computed using (8) and (9)
respectively, in the 2nd rule set. $x_{j+6}^{t+1}, x_{j+7}^{t+1}, \cdots$ can be computed as per 3-neighborhood
90/150 rule. For next time step (i.e. at time step $t + 2$) we can compute all above values
again using the 2nd rule set. In this way, right triangle of the temporal sequence column
(i.e. $\{x_i^t\}$), shown in Table 2, can be determined. Here, the only knowledge of right adjacent
column in the right triangle together with temporal sequence column can not determine
the seed $(x_0^t, \cdots, x_{i-1}^t)$. Equation (5) can be written in another way:

$$x_{j+1}^t = x_{j+2}^{t+1} \oplus d_{j+2} \cdot x_{j+2}^t \oplus x_{j+3}^t \tag{12}$$

The column $\{x_{j+1}^t\}$ can be computed from (12). Similarly, (4) can be written in another
way:

$$x_j^t = x_{j+1}^{t+1} \oplus d_{j+1} \cdot x_{j+1}^t \oplus x_{j+2}^t \oplus (x_{j-2}^t \cdot x_{j+2}^t) \tag{13}$$

The column $\{x_j^t\}$ can only be computed from (13) if the column $\{x_{j-2}^t\}$ (i.e. $\{x_{i-5}^t\}$) is
chosen at random out of $2^{j+1}$ possibilities. Similarly, the column $\{x_{j-1}^t\}$ can only be
computed from (3) of the 1st rule set if the column $\{x_{j-3}^t\}$ (i.e. $\{x_{i-6}^t\}$) is chosen at random
out of $2^{j}$ possibilities, because $\{x_{j-3}^t\}$ is unknown. The columns $\{x_{j-4}^t\}, \{x_{j-5}^t\}, \cdots, \{x_0^t\}$
can be computed as per 3-neighborhood 90/150 rule. Here, each column is computed by
bottom-up approach. In this way left triangle of the temporal sequence column (i.e. $\{x_i^t\}$)
can be formed (completion backwards process) and hence, the seed $(x_0^t, \cdots, x_{i-1}^t)$ can be
determined.

Eventually, the CA is loaded with the computed seed $(x_0^t, \cdots, x_{i-1}^t, x_i^t, x_{i+1}^t, \cdots, x_{n-1}^t)$
and produces the output sequence; the algorithm terminates if the produced sequence
coincides with the given temporal sequence, otherwise, this process repeats for another
choice of random seed $(x_{i+1}^t, \cdots, x_{n-1}^t)$.

The random seed $(x_{i+1}^t, \cdots, x_{n-1}^t)$ can be chosen with $2^{n-(i+1)}$ possibilities. Since
$x_{j+2}^t$ is determined from (7) with probability $\frac{1}{2}$, therefore, for the column $j + 2$, $\frac{n-(i+1)}{2}$
values can be computed deterministically and other $\frac{n-(i+1)}{2}$ values can be chosen randomly
with $2^{\frac{n-(i+1)}{2}}$ possibilities. The column $j - 2$ is chosen at random out of $2^{j+1}$ possibilities.
The column $j - 3$ is chosen at random out of $2^{j}$ possibilities. Therefore, the required time
complexity is:

$$2^{n-(i+1)} \cdot 2^{\frac{n-(i+1)}{2}} \cdot 2^{j+1} \cdot 2^{j} = 2^{\frac{3}{2}(n-i-1)} \cdot 2^{2j+1}$$

where $j = i - 3$ and $i$ = the middle cell position of the CA. Hence, the required time
is greater than $2^n$ (reqd. for exhaustive search) for $n > 9$.

Following the similar approach, we can determine the seed $(x_{i+1}^t, \cdots, x_{n-1}^t)$ from the
given output sequence $\{x_i^t\}$ up to the unicity distance $N$ by guessing the seed $(x_0^t, \cdots, x_{i-1}^t)$
out of $2^i$ possibilities as shown in Table 3. Here, the left triangle is determined in
the completion forwards process and the right triangle is determined in the completion
backwards process. Equation (7) can be written in another way:

$$x_{j+4}^t = x_{j+3}^{t+1} \oplus x_{j+2}^t \oplus d_{j+3} \cdot x_{j+3}^t \oplus (x_{j+2}^t \cdot x_{j+6}^t) \tag{14}$$

In the completion backwards process, the column $\{x_{j+4}^t\}$ (i.e. $\{x_{i+1}^t\}$) can only be computed
from (14) if the column $j + 6$ is chosen at random out of $2^{n-k}$ possibilities and similarly, the
column $\{x_{j+5}^t\}$ can only be computed from (8) if the column $j + 7$ is chosen at random out
of $2^{n-k-1}$ possibilities. Hence, the seed $(x_{i+1}^t, \cdots, x_{n-1}^t)$ can be determined. Therefore,
the required time complexity is:

$$2^{i} \cdot 2^{n-k} \cdot 2^{n-k-1} = 2^{i} \cdot 2^{2n-2k-1} = 2^{n+\frac{n-5}{2}}$$

where $k = j + 4 = i + 1$ and $i$ = the middle cell position of the CA. Hence, the
required time is greater than $2^n$ (reqd. for exhaustive search) for $n > 5$.

Table 3: Computing seed for M-NHCA $\mathcal{N}'$

* represents "guess" value


Note that the synthesized M-NHCA is a null boundary CA, and there is one tap bit
(i.e. $i$-th cell) from which the output sequence $\{x_i^t\}$ is given. Nonlinearity injection in both
sides of the tap bit can resist MS attack for $n > 9$.

In the proposed cipher, the nonlinear block is designed with a synthesized 128-bit
M-NHCA. The set of tap bits taken from the nonlinear block is $\{b_{16}, b_{32}, b_{47}, b_{67}, b_{80}, b_{96}, b_{112}\}$
for the combiner function (as discussed in Section 2.3). Nonlinearity is injected in both
sides of each tap bit to resist MS attack. The set of injection points has already been shown
in Section 2.2. The distance between 1st and 3rd tap bits of a sequence of three consecutive
tap bits is maintained as greater than 9. The distance for the sequence $(b_{16}, b_{32}, b_{47})$ is
47 − 16 + 1 = 32, and the distance for the sequence $(b_{32}, b_{47}, b_{67})$ is 67 − 32 + 1 = 36, and
so on. Thus, the M-NHCA can resist MS attack even if the tap bits are known.

4.3 Algebraic Cryptanalysis 

Algebraic cryptanalysis depends on constructing a probabilistic pattern of the outputs
to distinguish the cipher from a random permutation and solving low degree equations
from them. As M-LHCA involves only linear terms, a combiner Boolean function $h(\cdot)$
constructed out of it is immediately susceptible to algebraic attacks compromising its
security. This can be prevented by introducing nonlinear function in the design along
with the M-LHCA and $h(\cdot)$. This is achieved by the nonlinear transition function of the
M-NHCA which causes the algebraic degree of the output expressed in terms of initial
state bits to increase. Table 4 shows d-monomial characteristics along with Algebraic
Degree and number of state variables of the output of the cipher with iterations; where the
output bit of the cipher depends on 128 state variables with Algebraic Degree 6 at iteration
8 and the number of nonlinear terms in the output expression is 297201 at iteration 8
and these increase with iterations. Hence, after 128 clock cycles (i.e. initialization phase),
the output bit will be dependent on almost 256 state variables with higher Algebraic
Degree. The increase of number of nonlinear terms and the Algebraic degree of a cipher
also increases the attack complexity. Therefore, from the result of Table 4, it is expected
that the recovery of the internal state from the output is beyond practical measure.

4.4 Linear Approximation and Correlation Attack 

The linear cryptanalysis technique depends on approximating the output with an affine
function. Its success is directly related to the biases present in the output bits of the cipher.
The design choice of the cipher precludes such possibility as the output of both $\mathcal{L}$ and $\mathcal{N}$
are balanced. Moreover, nonlinearity is incorporated to prevent the affine approximation.
This is accomplished with a nonlinear sequence generator $\mathcal{N}$ and a combiner function $h(\cdot)$.
The nonlinearity of the entire state of $\mathcal{N}$ can be ascertained by studying the nonlinearity
of the injection points. Such a study is furnished in Table 5 which shows the increase in
nonlinearity of the injection points with number of iterations. Moreover, the final combiner
function $h(\cdot)$ has nonlinearity 3840 that also increases over time while expressed in terms
of initial state bits.

Table 4: Different characteristics of the cipher output

Itr#  Rsly  Alg. Deg.  # of Vars.  Deg-1  Deg-2  Deg-3  Deg-4   Deg-5   Deg-6   Deg-7   Deg-8
0     4     4          13          5      24     32     24      0       0       0       0
1     7     6          40          13     154    519    1057    387     35      0       0
2     14    5          50          16     335    1646   4528    531     0       0       0
3     14    6          64          17     462    2734   9146    2964    250     0       0
4     25    6          90          29     1056   9267   46644   9869    506     0       0
5     29    6          99          35     1217   11542  62096   12432   578     0       0
6     32    6          102         37     1250   12183  63930   8554    292     0       0
7     36    6          126         41     2343   30881  230041  34172   1140    0       0
8     34    6          128         45     2402   31832  239044  23386   537     0       0
9     37    6          130         45     2521   34519  264520  26458   681     0       0
10    33    8          152         50     4108   72617  775540  638331  808594  592230  21613

# of Deg-3 monomials at iteration #6: 12183. Rsly = Resiliency.

Correlation attack is a class of known IV attack which exploits the statistical weakness
of the underlying combiner function $h(\cdot)$. It works by exploring the dependency of the
output bit-stream on IV due to poor choice of the combiner function. Security against
such attacks requires a careful choice of a Boolean function providing certain degree of
immunity against correlation. This is obtained by adding 5 linear terms by the function
$h_l(\cdot)$ to the combiner function along with $h_{bent}(\cdot)$ resulting in a correlation immunity of
4. Moreover, the addition of $h_l(\cdot)$ makes the combiner function a balanced function and
makes it balanced with iterations. While evolving CA, each variable of the combiner
function $h(\cdot)$ is updated based on some linear terms and some nonlinear terms of initial
state bits of both the linear CA and nonlinear CA. Therefore, the combiner function $h(\cdot)$
gets more linear terms of CA states with iterations and accordingly the number of linear
terms in the combiner function $h(\cdot)$ increases during initialization. Hence, the resiliency of
$h(\cdot)$ increases with iterations. This has been shown in Table 4, where the number of Deg-1
monomials and resiliency are increased with iterations. Thus, due to the faster growth of
resiliency of the output bit of the cipher, it is expected that this cipher is resistant against
Correlation Attack.


Table 5: Nonlinearity of $\mathcal{N}$ for various iterations

        Nonlinear function injection points
Itr#    13    17    29    33    44    48    64    68    77    81    93    97    109   113
1       4     4     48    48    8     8     16    48    16    48    48    8     48    8
2       32    64    64    128   32    128   128   64    64    64    256   128   64    64
3       128   128   128   128   128   768   512   256   1536  512   512   256   256   1024
4       1536  768   3072  512   384   1024  1536  256   3072  512   512   512   768   2048

4.5 Statistical Analysis

Statistical analysis is another powerful cryptanalysis tool that is used to cryptanalyze all
kinds of symmetric ciphers. To design a cipher, it is of utmost importance to make sure
that the generated output stream has negligible bias which cannot be exploited by any
adversary to mount an attack. For this purpose, a statistical test suite has been developed by
the National Institute of Standards and Technology (NIST), known as the NIST statistical
test suite. 100 bit-streams with each stream of 1,000,000 bits are generated from the
proposed cipher and stored in a data file, and then the data file is fed to the NIST test suite.
The generated bit-streams pass all tests of randomness property by the NIST test suite.


4.6 Analysis against Fault Attack 

Fault attack has gained considerable attention from the research community. As mentioned
earlier, the eSTREAM winners like Grain, Trivium, have been shown to be vulnerable
against such attacks [HS04], [BMS12], [HR08] irrespective of their theoretical security.
These attacks were successful due to the low diffusion rate of the feedback shift register.
However, the presence of cellular automata and the use of rotational symmetric bent
function $h_{bent}(\cdot)$ in the cipher nullifies such scenario as CA are known to possess higher
diffusion rate than FSRs.

In this work, we have studied the effects of injecting single-bit fault into various
locations of $\mathcal{N}$ and $\mathcal{L}$. After the initialization phase, we run the cipher for a target cycle
$T$ to inject fault. We refer to this point as the base point. Let the state of the cipher be
$(b_0^T, \cdots, b_{127}^T, s_0^T, s_1^T, \cdots, s_{127}^T)$ at the base point $T$. Single-bit fault is injected either in the
NHCA $\mathcal{N}$ or LHCA $\mathcal{L}$ at time $T$. Further, we denote the output difference of faulty and
fault-free keystream at iteration $t$ after the base point by $\delta^t$, i.e. $\delta^t = z_{fault\_free} + z_{fault}$.
$\delta^t$ is used to obtain internal state of the cipher (i.e. $b_0^T, \cdots, b_{127}^T, s_0^T, s_1^T, \cdots, s_{127}^T$) at the
base point $T$. After injecting single-bit fault at the base point $T$, we have run the cipher
for $t$ cycles (say, $t = 10$). As a result, only 13 bits of $\mathcal{N}$ at the base point $T$ can be obtained
and no bits of $\mathcal{L}$ can be obtained as shown in Table 6.

The $h_{bent}(\cdot)$ function contains 80 nonlinear terms with 8 variables and maximum degree
4, and each variable appears in 30 nonlinear terms among 80 nonlinear terms. Moreover,
the design of the cipher increases the degree, number of variables and number of nonlinear
terms in the output expression with iterations as shown in Table 4, so $\delta^t$ will contain a
large number of nonlinear terms with higher degree with iterations and hence, it is hardly
possible to obtain all 256 bits at the base point (i.e., $b_0^T, b_1^T, \cdots, b_{127}^T, s_0^T, s_1^T, \cdots, s_{127}^T$) and
to recover the key from this internal state. Thus, the design is expected to be resistant
against fault attack.


Table 6: Fault location vs. NHCA bits obtained

Fault         Itr #  NHCA        Fault         Itr #  NHCA        Fault         Itr #  NHCA
location             bits        location             bits        location             bits
$b_{27}$      4      $b_{32}$    $b_{46}$      4      $b_{43}$    $b_{75}$      4      $b_{80}$
[illegible]   4      $b_{28}$    [illegible]   2      $b_{47}$    $b_{79}$      4      $b_{76}$
$b_{31}$      6      $b_{36}$    $b_{62}$      4      $b_{67}$    [illegible]   2      $b_{80}$
[illegible]   2      $b_{32}$    $b_{66}$      4      $b_{63}$    $b_{107}$     4      $b_{112}$
$b_{42}$      4      $b_{47}$    [illegible]   5      $b_{71}$    [illegible]   5      $b_{108}$
$b_{46}$      3      $b_{51}$    $b_{70}$      2      $b_{67}$    [illegible]   2      $b_{112}$

5 Hardware Implementation

In this section, we provide hardware results of the proposed stream cipher (Fig. 7),
and the comparison with Grain-128 [HJMM06] and other Grain-like CA based ciphers
[KR11b], [GR15]. The ciphers shown in Table 7 are all implemented on Xilinx Spartan 3
XC3S200-4FT256 device using Xilinx 14.2 synthesis tool. The result shows that Grain-128
is more hardware efficient than the other ciphers while the throughput to area ratio (i.e.
efficiency) of the proposed cipher is 1.434 which is better than Grain-128. The proposed
cipher achieves two times speedup in initialization over Grain-128.

Table 7: Comparison with Grain-128 and other CA based ciphers

Ciphers     No. of 4-input  Maximum clock    Maximum throughput  Area      Throughput / Area  Setup
            LUTs            frequency (MHz)  (Mbps)              (slices)  (Mbps/slice)       (cycles)
Grain-128   27              178.094          178.094             227       0.785              256
NOCAS       761             365.764          365.764             514       0.711              64
CASca       269             238.892          238.892             137       1.744              128
Our cipher  325             236.630          236.630             165       1.434              128


Table 8 shows the performance variation with several nonlinear function injection points.
It is noticed that the efficiency increases with decrease of the number of injection points.
The result shown in Table 8 gives some directions on how the number of injection points
governs the performance of the cipher. To prevent MS attack, maintaining injection points
in both sides of the tap points is necessary, as proved in Section 4.2.
So the decrease of injection points disturbs this property and makes the cipher vulnerable
against MS attack.

Table 8: Cipher-performance with nonlinear function injection points

No. of injection  No. of 4-input  Maximum clock    Maximum throughput  Area      Throughput / Area
points            LUTs            frequency (MHz)  (Mbps)              (slices)  (Mbps/slice)
14                325             236.630          236.630             165       1.434
12                325             237.869          237.869             165       1.442
10                325             237.869          237.869             165       1.442
8                 323             237.869          237.869             164       1.450
6                 322             237.869          237.869             163       1.459
4                 318             237.869          237.869             161       1.477


6 Conclusion 

In this paper, we have studied and analyzed the cryptographic properties of maximum 
period nonlinear CA. The CA is synthesized by injecting nonlinear functions in multiple 
inject points. Use of these nonlinear CA makes the cipher resistant against MS attack. 
Unlike Grain-128, our design eliminates the feedback function from linear to nonlinear 
block. This elimination and the use of rotational symmetric bent function used in the 
combiner make the cipher strong against fault attack. This CA based cipher is scalable, 
and very well suited for hardware which is evident from the FPGA implementation of the 
design.